From patchwork Fri Aug  5 15:54:33 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Cengiz Can <cengiz.can@canonical.com>
X-Patchwork-Id: 1664117
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=QnJbShL2;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by bilbo.ozlabs.org (Postfix) with ESMTPS id 4LzqtW1stWz9sFs
	for <incoming@patchwork.ozlabs.org>; Sat,  6 Aug 2022 01:55:13 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1oJzfA-0003Rk-6g; Fri, 05 Aug 2022 15:55:00 +0000
Received: from smtp-relay-internal-0.internal ([10.131.114.225]
 helo=smtp-relay-internal-0.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <cengiz.can@canonical.com>) id 1oJzf9-0003Rb-Bs
 for kernel-team@lists.ubuntu.com; Fri, 05 Aug 2022 15:54:59 +0000
Received: from mail-wr1-f71.google.com (mail-wr1-f71.google.com
 [209.85.221.71])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 19C333F134
 for <kernel-team@lists.ubuntu.com>; Fri,  5 Aug 2022 15:54:58 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1659714898;
 bh=hyy7ff6Xskb6n2LNdFLTWs9gMsE50I/noNSLyluf9vU=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=QnJbShL2TjSFfaGZ2xNH5k0vkqzVVCnWDOQcltC507is7dmGFXZbWNg5R9UY62LIT
 xWVHogHQa3WSnwDkH7DMgLMSefSbzkv3BuBI8VKCNaBInJS1g+XsXTVS8xXTRJC5u6
 4ON2N/3LnBoRBb3XEjRMt5kjoymrJP3xfM7QgGdQb5Kpb45JSV5lfrzD6tEnMKuYL1
 1pI5xGrxxL0Q4NAlNXSN2pvOlTC8NPSiBbr9cg/ftqwR2stMwishmwunNaY2pvBpfp
 S504qK+4XDNN5KdmgCUkXLKJVpaFM8AmHUcCJ5dT4+aj2wz936g7NG/CoWU7F2Y1Oe
 dNLtnC2wUuTvQ==
Received: by mail-wr1-f71.google.com with SMTP id
 i15-20020adfa50f000000b002207a6887b3so593236wrb.15
 for <kernel-team@lists.ubuntu.com>; Fri, 05 Aug 2022 08:54:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc;
 bh=hyy7ff6Xskb6n2LNdFLTWs9gMsE50I/noNSLyluf9vU=;
 b=dg+CfaxgSySWIcV205akJeClJuLaF9Mvif59uqpNj093gMjBjRNIHMC5IukUHlvZt5
 lyUcnk9z6aP8bnzizTlH8VjJFDRQZtHN+ogeMWvCk0R9fmTUnVePLdpb3qJ6BtjUlHgw
 TAkgD3AdAB1CNHCzOOqlB0ya+Cb75CWEfPCQCvng1GKZU4sNAyeq8ZEQ885frP85Kc1N
 Fb16cR0d4hw0gZP/fPp1sAVcXlVsgSKxz8NvIPERJs6Ps33Idd++sC3NEXOkM3tjq2H/
 7IZQHdEc00mCEaM1xpZ96JPSmYwSifBx4SjllMNUsRuh7B0uF0ANOtIMtO2rQ1ssr2Ew
 87gw==
X-Gm-Message-State: ACgBeo0YMOwFiZVt2b6xkA6Df9PPVeFWfD8+4gGZ24cKHZKZeCv/NVZO
 ZIKgcudmOFy6cZO3B1hKgDXppAyuSl5IQNkjCzqCfZ3WkmIaK+QGDv/CTOfqnZMTgi/77JxHXBg
 lgMuUOHIc9TUujewR5Hb7lXeTw/Zn9fuPT8hQ5STKOQ==
X-Received: by 2002:adf:d4c2:0:b0:21e:ddf3:8b14 with SMTP id
 w2-20020adfd4c2000000b0021eddf38b14mr4840913wrk.355.1659714897218;
 Fri, 05 Aug 2022 08:54:57 -0700 (PDT)
X-Google-Smtp-Source: 
 AA6agR6oEcrrAzRtdCOI2KqZhXVkTs7KqVMl4bzBEkIPopTAsp8TyDuWldVOaq6TFnmfwwQfZdnSGA==
X-Received: by 2002:adf:d4c2:0:b0:21e:ddf3:8b14 with SMTP id
 w2-20020adfd4c2000000b0021eddf38b14mr4840904wrk.355.1659714897015;
 Fri, 05 Aug 2022 08:54:57 -0700 (PDT)
Received: from localhost ([2001:67c:1560:8007::aac:c03c])
 by smtp.gmail.com with ESMTPSA id
 h28-20020a05600c2cbc00b003a4f08495b7sm11170103wmc.34.2022.08.05.08.54.56
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Fri, 05 Aug 2022 08:54:56 -0700 (PDT)
From: Cengiz Can <cengiz.can@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU Bionic PATCH 1/3] fbcon: Disallow setting font bigger than
 screen size
Date: Fri,  5 Aug 2022 18:54:33 +0300
Message-Id: <20220805155434.243360-2-cengiz.can@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220805155434.243360-1-cengiz.can@canonical.com>
References: <20220805155434.243360-1-cengiz.can@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Helge Deller <deller@gmx.de>

commit 65a01e601dbba8b7a51a2677811f70f783766682 upstream.

Prevent that users set a font size which is bigger than the physical screen.
It's unlikely this may happen (because screens are usually much larger than the
fonts and each font char is limited to 32x32 pixels), but it may happen on
smaller screens/LCD displays.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CVE-2021-33655
(cherry picked from commit f7e7c2ad446f359f54f4ea6a0a30b218e5edf134 linux-4.14.y)
Signed-off-by: Cengiz Can <cengiz.can@canonical.com>
---
 drivers/video/fbdev/core/fbcon.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index bf0f17f3d62ad..a95a892c2a69a 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2446,6 +2446,11 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font, unsigne
 	if (charcount != 256 && charcount != 512)
 		return -EINVAL;
 
+	/* font bigger than screen resolution ? */
+	if (w > FBCON_SWAP(info->var.rotate, info->var.xres, info->var.yres) ||
+	    h > FBCON_SWAP(info->var.rotate, info->var.yres, info->var.xres))
+		return -EINVAL;
+
 	/* Make sure drawing engine can handle the font */
 	if (!(info->pixmap.blit_x & (1 << (font->width - 1))) ||
 	    !(info->pixmap.blit_y & (1 << (font->height - 1))))